Security Introduction


Security is a system

It is important to realize that security is a system of individual measures, each of which is not fully effective in isolation but which work effectively in tandem. As a system, it is only as strong as its weakest link.

To appreciate this concept, consider your local bank branch. It has a vault, a teller cage, a lock on the front door, a surveillance camera, an alarm system to summon the police, and an armored vehicle to transport cash to and fro.

Think about it: These measures are complementary, and each makes up for obvious shortcomings in the others.

Further, the security system can never be 100% effective, even though it can prevent most thefts.


Security impacts usability

Security always adversely impacts the ease of legitimate uses.

Returning to the bank branch example, if the bank were willing to deny customers access to their money, or even willing to make it harder for customers to access their money, security could be made more effective.

Letting customers in the front door also lets in the bad guys. Thus, any security system, to avoid unnecessarily getting in the way of legitimate uses, should counter the most credible threats and take into account the seriousness of any consequences.

Analogously, dealing with sensitive information (like students' grades or identity information for human research subjects) deserves more stringent (and hence more invasive) security measures than, say, the drafting of this course.


Major elements of security

Security requires a combination of people and technology:

People. In computer security, these include the users, as well as professional staff administering the computers and networks.

Using technology appropriately. There exist effective security technologies, but they have to be used properly to be effective.

An important source of security lapses is the failure to use technologies properly. Human error (by either users or system administrators) is also a frequent cause of lapses.

The most effective means to minimize human error is to employ technologies that are automatic and transparent, installed, configured, and maintained by professional system administrators.

But even with this professional administration, users still have an important role, including vigilance and avoiding common errors.


The following are essential elements of a security system:

Education. Users need to be aware of their risks and responsibilities, and understand how to use the technologies available to them and the consequences of innocent errors or omissions they may make.

Software. As the Internet provides global connectivity to any computer, security software preventing and detecting nefarious access is essential.

Services. Professional services should be made available to administrators to manage any computer (especially those harboring sensitive data), to install, configure, and maintain specialized security tools, and to monitor for intrusions. Users, especially those harboring sensitive data, should take advantage of these services.

Policies. Members of the community should adhere to minimum security practices through the expression of mandatory policies. Focusing policies around credible means to follow them will also encourage wider compliance, although enforcement is generally necessary to ensure universal compliance.

Laws. It will always be possible for an insider or outsider to penetrate computer security through malfeasance. Laws provide for punishment as deterrence to this activity, and may also isolate the perpetrator from society so that they are unable to repeat this act.